KillEmAll

The best usage case for KillEmAll to most users is to close all open web browser windows if you get a suspected malicious popup while visiting a website.  The reason you don’t simply close or “X out” the popup is because malicious code can be run even if you click the X button — it is after all just another button, you might as well be clicking “OK” or “Yes, please do what you want with my PC…” but if you don’t click anything and KillEmAll does the work, forcing the application’s process to close without any additional code execution.

• Other tasks that benefit from the advantage of quickly and forcefully closing all applications:
  • before performing maintenance on your PC,
  • before and during general troubleshooting,
  • or before playing resource intensive games.

Simply run the .exe (from anywhere, even a flash drive or network path) and then press a key to terminate unnecessary programs; you have other options such as you can press ‘D‘ for Debug mode (more on that below), press ‘U‘ to check for updates, or press ‘C‘ to show the configuration interface.  Note that pressing ‘C’ for the configuration interface or ‘U’ to check for updates requires write access to the current KillEmAll path.

If your Windows is configured with UAC enabled (default) then you can right-click and choose Run as Administrator to kill all other programs running under an Administrator/System account (this is not necessary if you configure KillEmAll to Always Run as Administrator on startup.)

After completing the task of terminating all unnecessary processes, you the option to press ‘L‘ to generate a log file.  If at any time you do this, the log file will be saved with any results from terminating processes both past and future within the same KillEmAll session, even if elevating to Administrator or TrustedInstaller from within KillEmAll.  The log file will be displayed when KillEmAll closes.

Hold down the CTRL key while starting KillEmAll to start immediately in DEBUG mode, allowing you to terminate each process one by one, optionally skipping termination of certain processes, and (with v21.1.4 or later) optionally allowing you to Search the web for each process name you are about to terminate.  With v21.11.26 and later you have the ability to configure different web search engines so you are not restricted to Google.  With v21.11.30 and later you have the options to add the process to an allowed programs list so that it is ignored in the future, and you have the option to block the program from running (this is a system wide setting that applies whether KillEmAll is running or not.)

Hold down the SHIFT key while starting KillEmAll to automatically run under the TrustedInstaller account, bypassing the security permissions of other processes.

Obviously, any data used by the applications being closed, if not previously saved, will be lost!

• Run “KillEmAll.exe /?” from a console window to see current command line arguments for scripting purposes.
• Run “KillEmAll.exe /auto” to ensure KillEmAll runs automatically without prompting the user before or after running.
• Run “KillEmAll.exe /auto /log[=file]” to run automatically and log to a file.
  • ex. KillEmAll.exe /auto /log  (this will create a file named “KillEmAll_Log.txt” in the current directory.)
  • Optionally specify a filename or a full path and filename; if path or filename contains spaces you must wrap in quotes:
    • ex. KillEmAll.exe /auto /log=log.txt
    • ex. KillEmAll.exe /auto /log=”some log.txt”
    • ex. KillEmAll.exe /auto /log=”c:\some path\some log.txt”
• Run “KillEmAll.exe /debug” to start KillEmAll in DEBUG mode, allowing you to terminate each process one by one, optionally skipping termination of certain processes (this will override the /auto switch.)
• Run “KillEmAll.exe /config” to force Configuration mode (requires v21.11.26 or above.)
• Run “KillEmAll.exe /update” to update only and then exit (requires v21.11.26.3 or above.)

• v23.3.21
  • Updated internal whitelist for newer Windows 10/11 critical processes that have appeared with recent Windows updates.
•  v21.12.21.1
  • Updated to work when run from inside Windows Terminal (without killing itself or any other tabs open in the same Windows Terminal session!)
•  v21.12.20
  • Added config setting to log skipped processes in Debug mode.
•  v21.12.13
  • Fixed an issue with a very specific incorrect instance of file hashing causing a re-upload of the file to VirusTotal, and the function never retrieves a result, it just continued to upload any time the file is queried subsequently.  The fix actually requires .NET Framework 4.0, if it isn’t installed the potentially incorrect code will be used (but this appears to be an issue on Windows 10, and since all versions of Windows 10 will .NET Framework 4.0, you can always expect a correct result.
  • Fixed tab order on the KillEmAll Configuration dialog.
•  v21.12.12
  • Now prints “Skipped [process name]” when selecting to not terminate a process in Debug mode, and also affirms when you select to add a process to the Allowed Programs list.
  • VirusTotal scan date now prints in local time instead of UTC; also removed file hash from VirusTotal result as it was unnecessary.
  • Press “0L” (that’s ZERO + L) at the starting or ending prompt to delete the log file. This option is not printed in the menu.
•  v21.12.11
  • Added Debug mode option to Press ‘V’ to query VirusTotal.  Requires a VirusTotal API key, learn how to obtain one here (you just need to register an account with the VirusTotal Community.)  The option will only appear in Debug mode when you have the API key configured in KillEmAll Configuration.
•  v21.12.9
  • Internal Name in Debug mode file information will now only be shown when it differs from the actual filename (the same behavior as the Original Filename attribute.)
•  v21.12.8
  • Added digital signature verification and hidden file detection to the file information provided through Debug mode.
  • Added Debug mode option to Press ‘P‘ to open a command prompt in a new console window with directory automatically changed to the target file path.
  • Changed file information alert when a file has been modified from its original filename to only display if the original filename isn’t the same as the current one, but with a “.mui” on the end (files of the same name but ending in .mui will now be ignored.)
•  v21.12.7.2
  • Added automated whitelisting of any executable running from the d7x\3rd Party Tools path when an active d7x session is found.
  • Modified menu prompts on screen to format better when running in smaller 80-column console windows (Windows 7 and earlier) vs. the default 120-column console found in Windows 10/11.
•  v21.12.2.3
  • Pressing an invalid key in Debug mode no longer terminates the process (as if you had pressed the default ‘Y‘ key) now you can only press ‘Y‘, Spacebar, or ENTER to terminate the process.
• v21.12.2.1
  • Added config option to always display extended file information in Debug mode.
  • Added Debug mode option to Press ‘H‘ to display the Help menu.
• v21.12.2
  • Added Debug mode option to Press ‘I’ to print Information on a file (e.g. version, last modified date, several internal file strings like product name, company, file description, etc., and MD5/SHA256 file hashes.)
  • Added Debug mode option to Press ‘O’ to open the file path in Windows Explorer.
  • Improved application flow around d7x integration, including providing additional on screen information.
• v21.12.1.1 – Added d7x integration when an active d7x session is located on the system (KillEmAll does NOT need to be located in the same directory as d7x, but only if d7x is run prior to KillEmAll.)
  • Debug mode contains two additional d7x related options:  (Note d7x MUST be in an active session, meaning it has been run on the system at least once before.)
    • Press ‘E’ to Examine file with d7x.
    • Press ‘R’ to start a Registry search with d7x.
  • If a KillEmAll_Log.txt file exists in the same directory as KillEmAll.exe, it will still be used, otherwise one will be created in the current d7x Reports directory instead.  (Active d7x session required.)
  • Additional behaviors when an active d7x session is detected on the system (or if KillEmAll.exe is located in the same directory as a d7x vX.X.X.X.exe file, an active d7x session is not necessary):
    • If a KillEmAll_Allowed.txt doesn’t exist in the current directory, the d7x KillEmAll whitelist will be used.
    • If a KillEmAll.cfg file doesn’t exist in the current directory, one will be used inside the d7x Config directory.  In this way, KillEmAll preferences will be saved along with your d7x Config.
  • Pressing ‘I‘ at either the KillEmAll starting or finished prompt will show info on what config, definitions, and report files are being used, whether or not d7x is in an active session, and if any command line arguments were passed.
• v21.12.1
  • Since program blocking of Windows Store Apps doesn’t work like it does with native Win32 programs, this release adds detection of Windows Store Apps when in Debug mode to warn the user that program blocking won’t work with the app.  The option to block a Store App may be removed entirely in the future, although it will still allow you to create the program block setting for now, just in case we discover that it works with some Store Apps.
• v21.11.30
  • Added an Allow list, so programs on this list will not be terminated. You can add to the Allow list either by pressing ‘A‘ in Debug mode, or through KillEmAll Configuration.
  • Added ability to Block programs from execution, meaning they cannot run. This is a system-wide setting and takes effect even after KillEmAll is closed. Add to the Blocked programs by pressing ‘B‘ in Debug mode, and remove the block in KillEmAll Configuration. Note that KillEmAll must be Run as Administrator to enable the add/remove block functionality.  Note that program blocking does NOT work with Windows Store Apps!
  • NOTE: Some Debug mode hotkeys have changed due to new features (see above!)
  • You can now Run as TrustedInstaller directly from Standard User mode at any prompt you would normally also be allowed to Run as Administrator OR by simply holding the SHIFT key while starting KillEmAll normally (this is not available when KillEmAll is running from a network drive, from there it must progress to Administrator first then TrustedInstaller .)
  • KillEmAll previously didn’t show the ending menu/prompt after process termination when it was run by typing “killemall” at a command prompt/console window, this was by design but due to other functionality it needed to be changed, so now it shows the ending menu/prompt regardless of how you launch KillEmAll.
  • Fixed an issue when passing /log=”alt_log_filename.txt” but relaunching KillEmAll as Administrator or TrustedInstaller was losing the custom filename originally passed to KillEmAll.exe, now it preserves the file name (or full file path) passed when relaunching itself.
  • KillEmAll now remembers if you selected to create a log file (or if the /log command line argument was passed) when relaunching itself (as Administrator or TrustedInstaller), and so it will automatically log the new sessions, showing you the final log when you close KillEmAll as expected.
  • Fixes and tweaks to functionality and application flow when KillEmAll doesn’t have write access to its own directory (preventing Config from saving or Updates from being installed.)
  • Other minor fixes and tweaks.
  • v21.11.30.1 – Added ability to skip terminating the remaining processes (or not) when quitting Debug mode by pressing ‘Q’ before it has completed.
  • v21.11.30.3 – Added a ‘dummy EXE’ to install to C:\Windows by default when blocking a program, because the program blocking requires a redirected executable, or a dummy.  In the previous two releases KillEmAll configured the dummy as “cmd.exe /c echo.” which satisfied Windows so that it didn’t throw “File not found” errors when the blocked program tried to run, however this caused a brief console window (command prompt) to flash on screen every time a blocked program ran.  With this release a dummy EXE runs silently and uses no resources, terminating instantly, so that your applications in the foreground do not briefly lose focus with a flashing console window.  Note any programs blocked with the previous two releases should be blocked again.  This setting can be disabled in Config, (uncheck “Prevent File Not Found Errors” under the Blocked Programs list.)
•  v21.11.29
  • Added the option to Press ‘R‘ to Run KillEmAll again after any KillEmAll process termination run, in addition to ‘D‘ for Debug mode, ‘C‘ for Config, and ‘U‘ to check for updates.
  • Pressing ‘L‘ to save the log file when prompted will automatically save the entire session (both past and future results) recorded within the same KillEmAll process.
  • Fixed process termination result not appearing directly under the process to terminate when selected in Debug mode (a recent problem that only occurred with the previous update.)
  • Fixed an annoying issue with occasional new line characters (CRLF) appearing as a character on screen rather than moving the cursor to a new line position, causing confusing/jumbled text on the screen.
• v21.11.27.x
  • Added config option to automatically terminate processes on startup.
  • Added ability to Press ‘C’ for KillEmAll Configuration at any prompt, even during Debug mode.
  • Process termination speed increased quite a bit (previously, for each process the text output was written to the console window before moving on to the next process, but writing to the console window each time was proving to be a slow task; with this version all processes are terminated before any output is written to the console window.)
  • Added wrapping quotes around search strings when using the WebSearch option in Debug mode.
• v21.11.26.x
  • Added at the startup prompt a Press ‘U’ to update KillEmAll and Press ‘C’ to access the configuration interface with several options.
  • Config options include “Always Run as Administrator” on startup and you now have a choice of Web Search engines (not just Google.)  This will save (and require) a KillEmAll.cfg file in the same directory as KillEmAll.exe…
  • Added Debug mode option to Press ‘A’ at any time to Abort Debug mode and terminate ALL remaining processes.  Starting with this release, the default is to search by filename only when searching the web for a process (this can be changed in configuration.)  Introduced ‘/config’ and ‘/update’ command line arguments.
• v21.11.12.1
  • Added additional internal whitelisting for Windows 10/11 based components
  • Implemented a [Press ‘D’ for debug, or any other key to start…] prompt when initially starting KillEmAll without command line arguments or holding down special keys,
  • Tweaked the command line arguments (/auto is now requried for complete automation)
  • Removed the “Mini” from the name “KillEmAll Mini” while removing downloads for all other KillEmAll variations except KillEmAll.NET (which was also recently updated.)
• v21.1.27 – Corrected an issue that could cause KillEmAll to hang when attempting to terminate certain processes.
• v21.1.5.2 – Adjusted timing for an issue with incorrectly reporting ‘Terminated=FALSE’ when it was in fact terminated.
• v21.1.5.1 – Debug mode now terminates or skips multiple processes of the same name with one user prompt.
• v21.1.5 – Fixed a crash issue on Windows XP; minor tweaks to display output.
• v21.1.4 – Added option to press ‘G‘ to ‘Google’ the process name while in debug mode.
• v20.12.31 – Added options to generate a log file, to run as Administrator or TrustedInstaller, and added a debug mode!
• v20.12.28.1 – No longer attempts (and fails) to terminate a few Windows Defender processes.
• v20.12.28 – Now displays a console window showing each process terminated.
• v19.4.15 – Now terminates processes roughly 5x faster!

• All versions work with Windows Vista, 7, 8, 8.1, 10, and Windows 11.
• Windows XP compatibility has been officially abandoned in current releases, and no future support will be provided.  KillEmAll does terminate processes on Windows XP, but whether or not all of the menu prompts work as expected is not guaranteed.  The automation-based command line arguments /auto and /log should function as expected.
• v21.12.21 and above now work when run from inside Windows Terminal (and does not terminate any other tabs in the same Windows Terminal session.)